tanarch - stock.adobe.com
A group of security experts, organised through US-based nonprofit the Information Technology – Information Sharing and Analysis Center (IT-ISAC), have come together to pilot a “clear and concerted approach” to establishing a process under which the cyber community and providers of election technology such as voting machines can work together to enhance election security and help renew public faith in the political process.
Given the Russia-influenced cyber attacks that tainted previous elections in the US, and with the next presidential election a little over a year away, concerns are growing in many quarters that despite facing multiple criminal proceedings, disgraced former president Donald Trump may yet present an electable alternative to the current incumbent, Joe Biden.
But the core of the problem lies less in the world of misinformation, political intrigue and nation-state espionage, and rather in the nature of how elections are conducted in the US, a country that has made significant strides towards digitising its electoral processes. In doing so, it has increased the cyber risk to its political process in a way that countries such as the UK – where voting is still done with pencil and paper with votes counted manually – have not.
As such, the Election Security Research Forum (ESRF), which was set up five years ago, proposes to get out in front of the US electoral cyber problem, bringing together security experts and companies including ethical hacking firms Bugcrowd and HackerOne, Microsoft, and Protect AI, as well as nonprofits such as the Center for Internet Security, and former state and local election officials.
The project is being facilitated by IT-ISAC’s Elections Industry Special Interest Group (EI-SIG) and hosted by MITRE, which is opening up its own labs for technology testing. Approximately 20 cyber security researchers came together earlier in September at an in-person hackathon hosted by MITRE to do exactly that.
Read more about election security
- Polish senate committee alerts prosecutors over potential crimes by public officials involved in purchasing Pegasus spyware used to monitor and smear political opponents.
- An unknown threat actor who attacked the UK’s Electoral Commission had access to data on millions of UK voters for over a year, the watchdog has revealed.
- During an RSA Conference 2021 panel, the CISO for Maricopa County in Arizona, said misinformation posed a bigger challenge for election officials than actual cyber attacks.
The participating hackers probed both software and IT systems developed by three organisations, Election Systems & Software, Hart InterCivic, and Unisyn Voting Solutions, and the equipment in scope included digital scanners, ballot-marking devices and electronic pollbooks, with the primary focus being on the technology that Americans will encounter when they step into the voting booths in years to come.
Both the researchers and companies involved committed to following Coordinated Vulnerability Disclosure (CVD) policies and best practice, including timelines for public disclosure of any nasties they may find.
New vulnerabilities uncovered will be addressed through direct collaboration from all sides to evaluate whether or not they would impact the correct operation of the system in question. Additionally, the researchers and manufacturers will take into account if any existing compensating controls are in place to either reduce or eliminate the risk or severity of a validated vulnerability.
“This forum was a long time in the making and we are grateful and thrilled that it has come together,” said Scott Algeier, IT-ISAC executive director. “We are thankful to each election systems provider, researcher and advisory board member who has worked tirelessly to make this happen.
“The experience and lessons learned from the last three days are invaluable to the elections industry and to democracy. We look forward to the lasting relationships this forum has provided and what the future holds for more Election Security Research Forums.”
It is important to note that the technology assessed at the recent hackathon will not be deployed in time for the crucial 2024 election. Speaking to Computer Weekly Algeier explained that with little more than a year until the US goes to the polls in November 2024, it would take far too long to patch and recertify vulnerabilities in existing voting technology. “It would have been problematic using currently deployed technology,” he said.
The timelines for actual deployment of cyber-enhanced voting technology in a live election is down to the technology suppliers themselves, said Algeier, who declined to put a precise date on when this might be. According to the Washington Post, more secure voting machines could begin to be installed at polling stations by 2026, but no official date has been confirmed.
The technology used in US elections already conforms to a set of cyber and physical security guidelines described by the ESRF as “strict”, and must comply with federal testing and certification standards known as the Voluntary Voting System Guidelines, which are overseen by a body called the Election Assistance Commission (EAC). Most US states require compliance with these guidelines, and several have adopted even stricter methods.
Some of the measures already mandated under the guidelines include system-hardening, role-based access and multi-factor authentication; the use of hardened and encrypted flash drives to protect voting information in transit from polling stations; and strict internal security training. On the physical side, measures include 24/7 video surveillance of storage facilities where equipment is kept; secure containers to house it in transit; and the use of tamper-evident seals.
As such, the ESRF said, voters should be able to trust the equipment they use to cast ballots because of the robust and accountable design of the process. Its work is intended to go a step further to add even more transparency to this process, with the goal being just as much public education as it is improving resilience.
However, the VVSG guidelines are nearly 20 years old and do not necessarily reflect current security standards. Furthermore, although they were updated in 2015, election security campaigners say this update contained an enormous loophole, in effect allowing the voting technology manufacturers to ignore the update as long as the proposed new system was billed as a 'modification' to an existing one. As such, they have been heavily criticised for effectively allowing manufacturers of voting technology to mark their own homework.
In testimony delivered to a Congressional committee in 2019, Lawrence Norden, deputy director of the Democracy Programme at NYU School of Law's, Brennan Center for Justice, said: “In contrast to other sectors, particularly those that the federal government has designated 'critical infrastructure, there is almost no federal oversight of private vendors that design and maintain the systems that allow us to determine who can vote, how they vote, what voters see when they cast their vote, how votes are counted and how those vote totals are communicated to the public. In fact, there are more federal regulations for ballpoint pens and magic markers than there are for voting systems and other parts of our federal election infrastructure.”
The EAC is currently transitioning to a new set of certification guidelines, dubbed VVSG 2.0, but whether or not these will be in place by the time the technology tested at the hackathon is deployed is unclear.
This article was updated on 26 September 2023 at 15:45 BST to correct an erroneous inference that the technology tested was set to be deployed at the 2024 US presidential election, which is not the case.